Commit
Enable 'loose' reverse-path filter mode on the container ingress network (and bump to v3.1.0)
struanb committed Mar 6, 2021
1 parent 8a1ad26 commit b9979d1
Showing 2 changed files with 7 additions and 2 deletions.
1 change: 1 addition & 0 deletions README.md
@@ -21,6 +21,7 @@ For service container nodes:
3. Map any connection mark on reverse path traffic to a firewall mark on the individual packets
4. Create a custom routing table for each load-balancing node/TOS value/connection mark value/firewall mark value.
5. Select which custom routing table to use, according to the firewall mark on the outgoing packet.
6. Enable 'loose' reverse-path filter mode on the container ingress network interface.

The daemon must be run on both load-balancer nodes and nodes running service containers, but the ingress network IPs of all nodes intended to be used as load-balancers must be specified using `--ingress-gateway-ips` as a launch-time argument.

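Review bot: the new step 6 tells the reader to enable loose rp_filter but not what that trades away, and this is the one step in the list that weakens a kernel anti-spoofing control rather than adding routing state. Suggest one sentence after the list (or in step 6 itself) saying why it is needed here, namely that reply packets leaving via the custom routing tables would otherwise fail strict reverse-path validation on the ingress interface, and that the change is made inside the service container's network namespace only. That keeps the README honest about the security-relevant side effect instead of presenting it as a purely mechanical step.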
8 changes: 6 additions & 2 deletions docker-ingress-routing-daemon
@@ -1,8 +1,8 @@
#!/bin/bash

VERSION=3.0.1
VERSION=3.1.0

# Ingress Routing Daemon v3.0.1
# Ingress Routing Daemon v3.1.0
# Copyright © 2020-2021 Struan Bartlett
# ----------------------------------------------------------------------
# Permission is hereby granted, free of charge, to any person
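Review bot: the version string now has to be bumped in two places that must move together (`VERSION=3.1.0` and the `# Ingress Routing Daemon v3.1.0` banner comment), and nothing enforces that they agree. Consider keeping only `VERSION` as the source of truth and emitting any banner or `--version` output from `$VERSION`, so a future bump cannot leave the two out of sync.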
@@ -279,6 +279,10 @@ docker events \
# 3. Map any connection mark on outgoing traffic to a firewall mark on the individual packets.
nsenter -n -t $NID iptables -t mangle -A OUTPUT -p tcp -j CONNMARK --restore-mark

# 3.1 Enable 'loose' rp_filter mode on interface $CIF (and 'all' as required by kernel
# see https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt)
nsenter -n -t $NID sysctl net.ipv4.conf.all.rp_filter=2 net.ipv4.conf.$CIF.rp_filter=2

for NODE_IP in $INGRESS_NODE_GATEWAY_IPS
do
NODE_ID=$(echo $NODE_IP | cut -d'.' -f4)
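Review bot: `net.ipv4.conf.all.rp_filter=2` relaxes reverse-path validation on every interface in the container's network namespace, not only on `$CIF`, and the comment's "'all' as required by kernel" does not hold for loose mode. The ip-sysctl.txt document linked in the comment states that the maximum of `conf/all/rp_filter` and `conf/<interface>/rp_filter` is what applies to an interface, so `net.ipv4.conf.$CIF.rp_filter=2` on its own already yields loose mode (2) on the ingress interface whatever `all` is set to (max(0,2), max(1,2) and max(2,2) are all 2), while other interfaces keep their stricter setting. Suggest dropping the `all` key from the `sysctl` call, or if it is intentionally kept, rewording the comment to say that loose mode is being applied namespace-wide. Separately, this `nsenter ... sysctl` line has no failure handling: if the write is rejected the daemon carries on, the interface stays in strict mode and the asymmetric return traffic the previous steps set up is still dropped, with nothing in the log to say why; check the exit status (at minimum `|| echo ... >&2`) so that failure is visible.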

0 comments on commit b9979d1